Block Faces Lawsuit: A class action lawsuit against Block Inc. claims that the company’s well-known payment app, Cash App, has poor security procedures. The case stems from an incident in December 2021 in which a former employee stole personal data from almost 8.2 million Cash App Investing users.
The lawsuit also refers to a recent flurry of fraudulent activity and account breaches on Cash App. Block, formerly known as Square, has not given affected users refunds, and it is currently unknown whether the fraudulent charges are connected in any way to the December 2021 incident.
The lawsuit does not provide evidence to link these events, according to Forbes, which broke the initial news of it.
What is Known About the Lawsuit
According to the lawsuit, Block was “negligent” in its security practices, and Cash App did not maintain “reasonable and adequate” data security measures to protect its customers’ information.
It also mentions steps Block should have taken to avoid the December 2021 data breach, such as securing internet-facing assets, collaborating with various members of Block’s security team, and employing a “least privilege” approach to detect intrusions.
“These are basic, common-sense security measures that every business, not just those handling sensitive financial information,” the suit states. “Defendants should be doing even more with highly sensitive personal and financial information in their possession and control. Defendants could have avoided this [data breach] if they had implemented these common-sense solutions.”
Block is also accused of failing to follow the Federal Trade Commission’s guidelines for maintaining reasonable and appropriate data security for customers.
Information about the December 2021 Breach
The incident that started the lawsuit happened in December of last year. Block experienced a breach where a former Cash App employee stole a sizable amount of customer data. According to Block, the former employee stole the data by using the access they had while they were employed by the company.
Users’ full names, brokerage account numbers, portfolio values, portfolio holdings, and stock trading activity for one trading day were among the data stolen. However, no passwords or private data, such as Social Security numbers, were compromised by the incident.
The sheer number of people who could have been impacted by the incident was a major worry. At the time, Block informed the U.S. Securities and Exchange Commission (SEC) that it would contact 8.2 million former and current clients. The plaintiffs in the case emphasized the harm brought on by the lengthy interval between the incident’s occurrence and its SEC report.
Plaintiffs and class members suffered harm that they could have avoided had a timely disclosure been made, the lawsuit claimed. “Block offered no explanation for the four-month delay between the initial discovery of the breach and the belated notification to affected customers,” it said.
Recent Breaches of Customer Accounts on Cash App
The lawsuit also makes reference to several current Cash App account hacks, using them as an illustration of the damage the December 2021 hack caused. Many Cash App users have expressed their dissatisfaction over a third party accessing their accounts and stealing their money.
According to a recent Vice Motherboard report, hackers are selling Cash App login credentials on social media, the dark web, and some shady websites.
Although the lawsuit asserts that the December 2021 incident and the recent account breaches are connected, this connection is not immediately clear. However, affected users are urged to be alert for identity theft warning signs.
Another Jack Dorsey-founded business is being investigated
The lawsuit was filed this week in response to criticism of another well-known tech company’s cybersecurity practices. Jack Dorsey, the CEO and founder of Block, also helped found Twitter, though he resigned from the board of directors earlier this year.
Peiter Zatko, Twitter’s former security chief, detailed the company’s negligence and “extreme, egregious deficiencies” against hackers and cyber threats in a scathing whistleblowing complaint earlier this week, which was first reported by the Washington Post.
Zatko, also known as “Mudge” in the cybersecurity community, claimed that Twitter had broken the terms of its own FTC agreement by asserting that it had adequate cybersecurity measures in place.
Twitter was allegedly using out-of-date software and giving staff members unmonitored access to critical computing, which may have contributed to the numerous hacks the tech company has experienced over the years. In one such hack, a brazen Bitcoin scam involved the takeover of numerous well-known Twitter accounts.